Seminars

NO.159 Web Application Security

Shonan Village Center

March 18 - 21, 2024 (Check-in: March 17, 2024)

Organizers

  • Limin Jia
    • Carnegie Mellon University, USA
  • Tamara Rezk
    • INRIA, France
  • Sukyoung Ryu
    • Korea Advanced Institute of Science and Technology, Korea

Overview

Today’s web applications are a mix of existing online libraries and data that are combined to write applications in a rapid and inexpensive manner. Moreover, the last decades have witnessed an accelerating trend to integrate not only documents and code but also the so-called Web of Things, which uses web applications to connect homes, cars, appliances, and other physical devices. However, this same flexibility, together with the mix of heterogeneous technologies, makes the task of programming secure web applications and protecting users against exploits very complex. As web applications become essential in people’s lives, web and browser vulnerabilities, as well as privacy issues associated with web technologies such as tracking and fingerprinting, have become a major threat that people face today.

Challenges regarding security and privacy issues of web technology include the handling of injections in clients and servers due to the mix of technologies, the inclusion of untrusted code as a common practice, the protection of web sessions implemented over HTTP, the lack of languages available on the client side, the complexity of the JavaScript language (the main language for web pages), and the complexity of the browser infrastructure. Developers and users face an unprecedented need for security mechanisms to help identify, mitigate, and remove web vulnerabilities.

Academic web security research started in 2007, and since then there have been three dedicated web application security meetings at Dagstuhl (Europe), in 2009, 2012, and 2018, to gather researchers and industry leaders in the area and encourage discussion among them. This meeting will continue the series and will be held for the first time in Asia. The aim of this meeting is to provide a forum to

  • Discuss recent developments and issues in the security and privacy of web technology, for example the lack of scalable program analysis tools to identify vulnerabilities, including XSS and privacy leaks in web applications. In particular, the server-side logic of web applications has not been included in previous analyses: what are the consequences of this?
  • Discuss the effectiveness of security mechanisms in the face of the current overall vulnerability landscape

In particular, we plan to address the following questions: what do formal methods bring to web security and privacy in practice? Which security analyses are appropriate in the face of the heterogeneity of technologies required in modern web applications? The heterogeneity and new security threats of Web of Things technology make analysis and the enforcement of security policies even more difficult: what are the new security and privacy concerns in the Web of Things? How can the state of the art be brought to practice? What are the actual obstacles that prevent the technology from being applied? The steep learning curve (usability of the tool) and infrastructure dependency make it difficult to keep a tool up to date with the newest infrastructure (e.g., tools that require heavy modification of software infrastructure such as Chrome simply cannot keep up with Google’s frequent updates to Chrome). One research direction would be to develop techniques that are infrastructure independent.

To promote discussions, we plan to organise breakout sessions with time to discuss different topics. We will encourage tutorials, brainstorming and working-group sessions rather than mere conference-like presentations.

References

[1] Web Application Security. Dan Boneh, Ulfar Erlingsson, Martin Johns, and Benjamin Livshits. Dagstuhl 2009. https://www.dagstuhl.de/en/program/calendar/semhp/?semnr=09141

[2] Web Application Security. Lieven Desmet, Martin Johns, Benjamin Livshits, and Andrei Sabelfeld. Dagstuhl 2012. https://www.dagstuhl.de/en/program/calendar/semhp/?semnr=12401

[3] Web Application Security. Martin Johns, Nick Nikiforakis, Melanie Volkamer, and John Wilander. Dagstuhl 2018. https://www.dagstuhl.de/en/program/calendar/semhp/?semnr=183212